Listed here is yet another argument against “normal” certificates for onion domains. The thing is that they come with an OCSP responder target. Hence, the browser will go and contact that responder, possibly deanonymizing your. Just what fb need to have complete should has OCSP responses stapled – without it, the problem is additionally worse than unencrypted http.

No, it’s not going to on some

No, it will not on some browsers. Arguably this is a browser bug, but still, stapling the OCSP response will make the bug benign.

Tor Internet Browser must have

Tor Browser will need to have impaired OCSP long since, it’s worse than pointless because it has to FAIL START since a lot of responders are unreliable. noisebridge /OCSP

What about altering the Tor

What about altering the Tor web browser, to make sure that although all traffic in actuality is sent through simple HTTP over Tor for .onion, the internet browser showcases it, using padlock, to ensure that people feeling assured it is encoded effectively. Possibly even approach it is as HTTPS for combined content material and referer and this type of, while nevertheless maybe not in fact being it.

That could steer clear of the overhead of working both Tor’s and HTTPS’s encryption/end-to-end-authentication, and get away from enforcing the commercial CA model, while nevertheless avoiding frustration from people.

Really should not be carried out in that

Should not be carried out in that way. Best make different padlock revealing at content which utilized tightly via undetectable services. And see people about that.

As for naming chat rooms for asian challenges, I

A) rebrand “location-hidden provider” as well as the .onion pseudo TLD to “tor provider” and .tor (while keeping backward accessibility to .onion) (*)

(*) there clearly was most likely a big “don’t brand items” discussion, that’s mostly in line with the concept of “ownership”. The community which subscribe to the rule own the code, but it’s copylefted with an extremely permissive license (thus forkable), as well as the community possession is actually marketed amongst those people that subscribe to it (relays, bridges, directories etc.). Therefore, I begin to see the branding/ownership discussion as bad.

Ultimately, in my opinion it is *excellent* that Twitter has actually included a .onion address. I completely disagree due to their business design, and do not need what they are selling, but their extension to the tor network will increase the authenticity with the community in eyes of this improperly educated, and may even increase the training of these community.

Actually one discussion in support

Isn’t one argument in support of utilizing https for hidden service it enables verification of consumers through client certificates? (Obviously, this is simply not an argument that’s strongly related the myspace case).

“chances are they got some points

“chances are they had some techniques whoever term begun with “facebook”, and additionally they checked the second 50 % of every one of them to pick out the people with pronouncable and therefore memorable syllables. The “corewwwi” one looked better to them. “

I find that story hard to feel. Exactly how many conotations did they have to examine to track down corewwwi? It surely must-have come many, massive amounts, or even more?

I don’t buy it either. More likely a huge company like Twitter desires an easy-to-remember target and contains the information for that.

I am not great with C, but I would personally want to help out using design for your newer onion providers. What can be the best way to assist?

Comments on role

There’s one other reason for attempting to have https to an onion address: promise that not any other .onion webpages are proxying/MITMing this service membership’s facts stream, by revealing that the .onion target enjoys a key in fact held (or at least authorized) by the a person who owns the website.
